Posts

Showing posts from 2009

The climate and gate thoughts

I'm a bit worried about the climate. Not as such, but the discussions and allegations on how and why we have a weird climate these days. Or is it that weird? Some say Americans and Chinese are the crooks in this story. Some say it is the sun activity causing all the fuss. Others point to stolen documents from researchers saying it's all a scam. Wow... conspiracy theorists must thrive on this. Is the Copenhagen climate summit just a new version of a Potemkin village?

Guitars are made for twanging

Thou shalt not... import rosewood from Madagascar! Gibson guitars, Nashville, TN, has been raided by the police under the claims that they import this hefty wood. I'm a Fender guy myself, but poor those Gibson fans...

YAY! HTTPS/TLS/SSL gone fishing

I guess it was just a matter of time before someone clever would come up with ways to take control over TLS/SSL connections, and here it is. ZDNet and DarkReading have stories around the flaw, and here is the work presentation with examples. Now we just have to wait for the massive patching nights. Update 2010-01-12: IETF has approved the draft, and coders have an official GO to implement patches for deployment on a larger scale.

The cloud might be useful after all

As you can imagine from the headline I'm not a big fan of cloud computing. I have too many questions not answered and am thus very doubtful. But hey, who am I to judge when guys like David Campbell at Electric Alchemy post convincing proof of cloud usability on his blog. This post has apparently been both El Regged and Slashdotted but I think it is worth mentioning and it will be a pointer/reminder for me next time someone tries to convince me of cloud greatness. Crack away at Amazon!

I've been a bad selfish boy...

Sorry for not updating the blog at all... I've been selfish and the result is a deeper knowledge in PHP and SQL. Been coding away day and night to gain some knowledge in those areas, which were two large white areas on my map. Blogs are coming your way soon again :-)

Keyboard revisited

I can agree that the IBM Model M keyboard is good. I can even go as far as calling it the best keyboard ever (I even have one), although the clickety-clack sound drives everyone crazy if used, excluding the user. It is almost impossible to find one but today I came across this Wired article and it seems I am not alone in liking these. I really can't come up with anything bad about the keyboard except the annoying sound. Ergonomics.. pffft! The article even points at a manufacturer that ships replicas in a multitude of versions.

Windows vs. MacOS (or how to choose the least baddest)

On the opposite side of all fanboyz and Redmond advocates this article's author has it all right. It's not about choosing the best OS for your computer, it's about choosing the one that sucks the least, and attitude, of course. "Seriously, stop it. I don't care if Mac stuff is better. I don't care if Mac stuff is cool. I don't care if every Mac product comes equipped with a magic button on the side that causes it to piddle gold coins and resurrect the dead and make holographic unicorns dance inside your head. I'm not buying one, so shut up and go home." "Recently I sat in a room trying to write something on a Sony Vaio PC laptop which seemed to be running a special slow-motion edition of Windows Vista specifically designed to infuriate human beings as much as possible. Trying to get it to do anything was like issuing instructions to a depressed employee over a sluggish satellite feed." Yeah, well, he's right on both accounts!

Twitter banking - is this for real?

Woke up this morning and almost choked on my breakfast. Vantage Credit Union goes banking through Twitter with myVantage. "With tweetMyMoney, you can monitor your account balance, deposits, withdrawals, holds and cleared checks with simple commands. And, you can even transfer funds within your account. It’s all available on Twitter, 24/7!" "So how is this mobile? If your phone can send and receive text messages and you’re on Twitter, you’re in! tweetMyMoney uses Twitter’s Direct Message feature to return the account information you request." Wow! Is this the future or what!?!?! The person who thought this up might not be the sharpest knife in the drawer... Check out the videos :-)

Google and the innocent victim

Why do I bother, and why am I still amazed over these stupidities in US court orders and the consequences? One more for you: Rocky Mountain Bank (or rather one of its employees) sent out a mail to the wrong recipient at a gmail.com address including personal information for 1325 customers. A big Oooops! This makes my brainwaves go in a direction: Why send that kind of information to a "nearly" anonymous mail server? I wouldn't send such a mail to someone who does not have their mail in a "trusted" domain like @bankdomain.com or @solicitor.com. And why the h*ll would Google comply to a request for closing that account? Is the person having that account really liable for receiving such a mail? Is it really his fault that a dumbass sends him confidential mail? Where did he go wrong? Questions answered by this article. Yes... Google refused to close it down... and Yes... Google complied to closing the account. Wow! Update 2009-09-30: And apparently the innocent ...

Botnet kraze

We are all aware that there are evil nets out there called botnets. We've seen them do bad things like in Estonia a few years back during elections, Georgia during the Russian quick-fix invasion and so on. Now two different studies of these beasts have come to interesting conclusions. Trend Micro has had a deeper look into the lifecycle of a botnet member, which might be a PC, and which might be a member for years. I just wonder if these are PCs forgotten in some attic or in a dark corner of a second floor hallway? Anyhow, if you put this in conjunction with a new Damballa study, which states that 9% of enterprise companies' computers are part of botnets, it all starts to get scary. If these computers do not have updated AV/malware scanners or patches in months, let alone YEARS (!!!), where is the security? Do they have any processes concerning security? You can't just forget about 9% of a company's computers. This is ridiculous.

Facebook - bad, bad, bad

Wow! This guy is really out on a mission impossible. His FAXX project aims to target applications on Facebook, both internal and 3rd party, and the intention is to make FB a safer place to be. All in all his eye-openers are being well received, as the applications are being patched. But as he also mentions, there will always be a 31st application with bugs and vulnerabilities.

What are your vulnerabilities?

Very very interesting reading from SANS, as usual. We tend to focus a lot on vulnerabilities on the OS level, be it *nix or Windows, but forget about stuff that runs on the OS. Applications and web servers, java, and mail and whatnot. After reading this report you will hopefully begin to understand the implications of the one-track-focus on operating systems and start looking up at the application level where the threats are getting (or actually have been for ages) more visible. So start patching now!

More on Heartland breach

CEO Bob Carr of Heartland gave a webinar on September 15th stating that you should be very careful when choosing a QSA. "Don't just go out and grab the cheapest one", is the message (discussion during Q&A in the webinar). He is probably right, but what should the criteria be when choosing the QSA? Obviously you can't go by pricing. Are there any sites "classifying" QSAs? Carr states he paid $15k for a QSA to do their audit before the breach, and got a "go-ahead" from them after their audit. Apparently they didn't do their job too well. So after the breach Carr took in another QSA and said, "Just do your job, whatever it takes, find whatever vulnerabilities there are". Sorry to say, no price tag for that kind of work has been disclosed... I'd really like to know!!!

R.I.P. Keith Floyd

One of my all time favorite TV chefs... well, calling Mr Floyd a chef is maybe too much. It seems he always cooks the same kind of stew, only with different ingredients in every program. But hey, that's OK, because he was such a personality. Always happy and never too late to admit he was hung over, again. But on the other hand, that's easily cured by another glass of wine... or aquavit... or whatever with alcohol in it. You will be missed!

PCI QSA GTK

I know... geeky headline. It got your attention though :-) When your company is being audited by a PCI QSA (look it up, but if you're accepting payments with credit cards you know what it is) most people just sigh and get frustrated. I found this excellent four action point plan/advisory that will make your audit easier, if not a breeze.

1. Choose your vendor wisely
2. Lay the groundwork
3. Give the QSA access to key players
4. Don't treat the QSA like an enemy

Read more about it here.

Oh those avian carriers

Now this takes RFC1149 a bit further. Usually those RFCs released on April 1st are a bit of a joke, and apparently Norwegians lack that gene and took things seriously. What is more amazing, they got it working (and I'm still struggling to convert my b/w TV to color with a little help of nylon stockings). I also seem to remember the olden days when the story went: "Where is the largest bandwidth over the Atlantic?", and the answer would be "That happens when the US Army sends back their backup tapes from Germany to the US in Hercules planes". Don't know whether that is/was true but a thoughtful story. Earlier this week Unlimited IT (South African) got frustrated with the bandwidth limits in the area, so they decided to put their trust in Winston, the 11-month old pigeon, trained to fly home when needed. This time the guys (I take it it is guys doing this type of geeky stuff) packed Winston's bag and beat the local ISP by running eights 'round the I...

Patch Tuesday September coming up

Microsoft's patch Tuesday is approaching again. This time five critical updates, depending on platform. But it seems a few of them go through the whole range of Windows releases, which therefore implies design flaws in the basis of the Windows code. More information coming.

Facebook App Store?

Is the future of the social networks an Apple-like App Store function? It seems Facebook is heading there trying to protect their API policy, starting with greylisting, and warnings, before accepting the third-party application as "facebook compatible". MySpace might be going in that direction too. I'm not saying it is bad in any way, many friends on Facebook have been victims of worms in applications rendering crazy mail and messages to me. Always due to their curiosity in new applications, and who wouldn't be interested in people that have a crush on you, or who visits your profile most often... Me? Naaaah, it only happens to the other guy :-)

Cyber criminals' paradise

A new book coming out, Harboring Data: Information Security, Law, and the Corporation (Stanford Law Books), caught my eye. And this interview with the editor of the book, Andrea M. Matwyshyn, makes me want to read it now. "People are using the Internet more, which is a good thing. But such information sharing is leading to additional points of vulnerability. Twenty years ago, there weren't databases full of such rich consumer information as we have today. The ease of sharing information through the Internet generates targets for information criminals." With an expected ~50% increase of internet users within the next four years the net must be considered a paradise in cyber space for criminals.

WPA-TKIP broken and cracked in less than 60 sec

Uh-oh... So this Japanese team claims they will break WPA-TKIP in less than 60 seconds, and a demonstration of this will be at IEICE in Hiroshima September 25th. As there are not so few of these implementations around the globe this will take WiFi security to a totally new level. This will also affect my favorite PCI-DSS in a major way since WPA is considered safe, and even WEP is acceptable, if certain conditions are met. Mind you, this only affects WPA-TKIP, not WPA-AES nor WPA2. Pheww... or?

What the SysAdm is/does/thinks

"Yeah, we’re weird, strange, introverted, use big words, and occasionally smell of pizza, but we do what we do ’cause we love it and because it’s hard and challenging." Have an inside look at your SysAdmin's thoughts. Why does he/she operate in that way? What makes their clocks tick? Every day should be a SysAdm appreciation day!

Links for August 25th 2009

Oh Lord! Kiss is at it again. Their Alive 35 tour (35 for the amount of years since the band started, or is it the version number?) kicks off in Motor City September 25th. Will they come to Europe after that? As usual, money talks, and if enough is offered we'll see them here early 2010. And Mr Simmons promises this tour to be the best ever - louder, faster and more spectacular. Go figure. Security: Are you a victim of fake virus scans? I've stated it over and over again: don't use anything to scan your computer with unless it is a well-known AV scanner. A pop-up offering a free virus/malware scan when surfing the net is probably not one you need to try out. Incidents: Cisco APs are giving away unencrypted information according to PCWorld/AirMagnet. Nothing in this story is new to me, NetStumbler, sniffing MAC addresses, airsnort, airodump-ng etc... What am I missing here? Update[1]: Ohhh... OK. Now I get it. Law/Hacks: Mr Gonzales isn't going to get an easy tria...

Links for August 24th 2009

The weekend passed by with both sunshine and rain. I managed to stay away from the keyboard for lengthy periods. The Finns showed off their worst side at the WC in athletics in Berlin. Four guys in the javelin finals and none of them managed to get a shiny coin hanging 'round their neck. A former javelin champion (Seppo Räty) even commented on this: "We have four dudes in the finals, and not one of them could reach 82+ metres, which would have earned them the bronze medal. It was there, just get it. It was on sale, dammit!" Security: So the US Air Force finally decided where their cyber center should be. 24th AF in Texas won. World: A BBC'er's view on what youngsters' hacking is all about. Google feeds them and takes the good ideas? World: And another view on hackers' lives comes from JimenaPulse. Quite the contrary from the BBC blog, huh? Hacks: Just a friendly plug for the Open Web Application Security Project (OWASP). It's a handy wiki to look at. Hacks: Alway wo...

Links for August 21st 2009

No entry yesterday. And there's a reason why. Sometimes the dude has a lot of work and since this is a hobby blog it has to stand back while the monadas rules time. I also had buffalo meat for the first time in my life (if it really was buffalo), nothing exciting, tasted just like any cow. But it was a nice dinner (job related) with nice stories told. Incidents: From altar boy to Secret Service helper to Tony Montana. Here's a little background on Mr Gonzales, the guy that allegedly took care of some 170 130 million credit cards. Law: Here's an interesting way of getting incident details from reluctant companies. Blame John Doe! Hacks: And now for the next level of ID thefts. Web browser hacking in real time. Interesting: Opera browser is the preferred hacker browser, this article claims. Interesting or not, what is more interesting is how the statistics were gathered. Incidents: The social engineering whiz kid Kevin Mitnick had his data breached a while ago. Now AT...

Links for August 19th 2009

So the first signs of fall appeared today. First day in weeks I couldn't take the bike to work. Schools started today and hence I had to take my older boy to school in the car. Ah well, all good things must come to an end. Maybe I will have the time to take apart the bike and customize it in the ways I always planned to. Or maybe it'll just come to taking out the battery for winter care, as usual. But I'll keep on dreaming. Hacks: Social skills are as important as programming knowledge when it comes to penetration testing [or it could be used in malicious ways of course, but we don't, right?] and the creativity amongst people obtaining knowledge never ceases to stun me. Hacks: Ethical hacking seems to be a popular title to hide behind. Here's a security primer on how things can be done, written in proper English and not the hacker gibberish nerds speak. Hacks: More on social skills, or sort of. How do you use your mail? Do you have different mail accounts for diff...

Links for August 18th 2009

The press is calling it the biggest credit card fraud ever prosecuted. 130 million numbers were stolen from 7-Eleven, Hannaford and Heartland. Now it's time for the USA to try the case in court. You can read the full indictment here. Incidents: Uh-oh... this clever hacker/group didn't see the sh-t hit the fan until it was too late. But then again I guess he was laughing too much to notice. Oz police obviously know about honeypots. Security: IEEE has put together a group called ICSG (Industry Connections Security Group). What it aims for is to pool experience and resources of "heavyweights" such as McAfee, Symantec, Microsoft etc. I believe there will be interesting discussions in how to pin-point and deliver from this group. World: ID hijacking in cyber warfare - and how you can be caught in the crossfire without even noticing it. The Russia vs. Georgia war last year apparently used US citizens' IDs to deploy bits and pieces at the cyber frontier. World: Larry Wals...

Links for August 17th 2009

Oh boy... 9.58... how fast is that! I knew he had it in him (since I read blogs ;-)) but that is just amazing. I thought I had missed it watching another channel, but they were late and I got to see the event, and the cheeky bastard looked at the clock at the end. Congratulations on the new world record Mr Bolt. World: Anakata, of Piratebay fame, had a blast at HAR (Hacking at Random) in Holland during the weekend. Tim Kuik (BREIN, who won a case against Piratebay two weeks ago) got into a clash with Anakata during a panel discussion. Patch: It takes an average of 29.5 days to get computers patched against vulnerabilities. Why does that ring bells and why does that correlate to monthly patching schedules from a large Redmond company? Can there be some truth behind 0-day exploits being released just after patch Tuesday? Security: I don't agree with this writer. I don't think firewalls are necessary at all. In a majority of scenarios they do nothing at all to secure your comput...

Heartland CEO links collection

I just can't let this pass by without posting at least a collection of links discussing the CSO magazine interview with Heartland CEO Robert Carr. By chewing off this huge portion of his foot he stirred up the PCI-DSS community big time. Links can be found here. And my personal favorite from Andy ITGuy.

Links for August 14th 2009

Riding home from work today I barely escaped the rain. On Tuesday I wasn't as successful as the rain drenched me. And the weather people "promised" the weather would change to Mediterranean style due to global warming. I guess they were as accurate as always when trying to predict the weather, even for the next day. I wouldn't mind a few more sun hours à la Spain's south coast, though. Maybe my garden would actually produce some veggies and fruit for once, as it is now the summer is too short for any significant growth of anything. Bring it on! Incidents: Conficker just doesn't give up. Goes on and on forever it seems. We had serious infections earlier this year in Sweden when hospital computers went out of service due to Conficker. In Missouri City computer and phone networks gave in Thursday morning. Hacks: Have you ever used the "Free Public Hotspot" WiFi service? They seem to pop up everywhere, not just airports. They are seldom free, you nor...

Links for August 13th 2009

Sweden beat Finland in football /that is spelled soccer for you in the States/ and nothing is new... Finns only know about engine sports, like motorbikes and rallycross or Formula 1, oh... they've got saunas too. Patch: Oh well... and we thought Oracle was bad at releasing bugfixes. Seems Microsoft is neglecting some reports too. Law: I know everyone is commenting on Microsoft not being allowed to sell MS Word... but it is just so amazing. How can a local judge in eastern Texas make a ruling like this? Maybe I just don't understand ... Hacks: One would wish that applications for schools could be kept within a few people, but no. UC Berkeley Graduate School of Journalism let some info out. This time the breach only affected 493 people, but in May Berkeley had some more to think about. Big Brother: President Obama's efforts to get the CyberCity czar in place seem difficult, to say the least. Am I right in (reading between the lines) thinking that people in office realize th...

Spot on!

At first I had no idea what this guy was ranting about ... then I got to the pun... Almost laughed my pants off.

Top 10 Most Wanted Botnets

Well... in America (I guess USA) it is. Although Damballa's site has a nice "real-time" map of ongoing botnet activity.

Links for August 12th 2009

Not a good day to start with. Came down with some kind of major flu, feel feverish, joints ache, and nose running worse than Niagara Falls. Yeah, I know, I'm a guy, and as soon as something, however minor, hits, I (all guys) become a helpless little puppy squealing for mercy and enter the state of not being capable of anything... And this can never be emphasized enough. Passwords are not for fun (only). Even if everyone in security gives talks and lessons, and everyone else nods "Yes, we understand", still, breaches are very common due to weak passwords. Just follow the guidelines. PCI-DSS: A new version, 1.2.1, has been released. No spectacular changes made. Mostly clarifications, redundancy removals and spelling corrections. If you want to be up-to-date, the documents can be downloaded here: PCI-DSS, PA-DSS and PA-DSS Program Guide. PCI-DSS: Small merchants have a higher awareness of PCI-DSS today, compared to a year ago, according to this study. Not surpris...

Links for August 11th 2009

A lot of buzz going on about DDoS and how to prevent them. Now, this will probably take a while, so don't hold your breath or wager your last savings. Since the pipes to your site/ISP are only so wide you can't do much to prevent bad things happening when 100k computers start throwing garbage (or legitimate, for that matter) requests at your stack. Even force feeding your goose to get your daily dose of foie gras has its limits, no matter what kind of feeding mechanisms you use. DDoS will be around for a long while, so let's just pray you will not be the victim of such an evil attack, even though these are short term (hours/days) and eventually will go away when a new and "nobler" cause comes the attackers' way. And now to today's links: PCI-DSS: Oh no!!! Not that PCI thingie again! Well, you'll hear a lot about it, not just here. It's here to stay. It's a good start, and if you comply you're well on your way to securing your network....

Links for August 10th 2009

A warm weekend went by with good food, drinks and beach. Somewhere along the way a few movies went by on the telly, none worth mentioning though. Seems there are fewer and fewer to even mention these days. Guess before too long I will claim things were better in the olden days... Weekend links have very little to do with computers as it seems not much of interest has happened in that area: World: ETA, the Basque liberation group, raised their voice, this time in Mallorca, the holiday paradise island for a lot of Europeans. World: What is it with the Hudson river? Another crash during the weekend, this time a helicopter and a plane collided. World: Finland takes gold in the world sauna championships ... Like that would come as a surprise? Interesting: So it takes 10.000 hours to become an expert at something. How long does it take to become intermediate at something? Good enough to get paid for the work in, let's say, C programming or networking? Not everyone can be called an expert, ...

Links for August 7th 2009

Thought I'd start contributing interesting links. Mostly security related stuff concerning computers, networking et al. Incidents: The Twitter DDoS incident apparently was triggered from disagreement with a sole blogger. Facebook got some heat from this too. Security: Databases are often bypassed when it comes to securing information. Even at large companies. Here are some guidelines to cure that illness. Interesting: So you thought DNA was only good for designing/programming your bodily functions and shapes? How wrong have you been? Nano-beachball, anyone? Big Brother: Has Apple had enough of replacing gadgets due to consumers handling their equipment wrongly? This patent seems to be some kind of "Black Box" equivalent for iPhones/iPods/iWhatever that records abusive handling of Apple gadgets so the customers can't claim replacement too easily. Patch: Microsoft hasn't had much of a holiday season. Busy bees at Redmond have been releasing patches at a bla...

Cost of IT Security

This probably can be applied to any security, but I will look at it from an IT guy's perspective since that's where I'm sitting looking out over the fields. Once the day comes and your network/computer is breached through loopholes or badly patched systems or whatever it may be, it will cost your company (a lot of) money. It can be through information theft, goodwill or just plain hooliganism deleting important data. This cost is often credited as a "non-foreseen" cost and your security department will get questions why this or that happened and why the department costs so much money to run, to begin with. What the people with the money bags often don't realize is that this cost comes from executives "saving" money earlier on by launching services/applications that weren't ready for launching. "Let's skip this, we can fix it later" kind of mentality so the money starts pouring in as soon as possible. Mentality like that will eventually bite ...

Birth control vs. Pirate Bay

It's weird. Swedish deputy state prosecutor Mikael Hammarstrand wants to charge health professionals prescribing birth control pills to girls under the age of 15. This is due to the fact that girls under 15 aren't allowed to have sexual intercourse under Swedish law. It makes me draw parallels to The Pirate Bay prosecution in Swedish court where IFPI et al claim that TPB is responsible for distributing copyrighted material through their servers. Makes me wonder:

- Should hardware stores be prosecuted because they sell hammers that can be used to smash people's heads?
- Should the state be prosecuted because they make highways available for criminals to use as a getaway?
- Should car manufacturers be charged because people die in crashes?
- Should McDonalds be charged because they sell coffee which might burn people's tongues? (Oh wait...)